IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
- Port `sq cert list`, `sq pki authenticate` and `sq pki lookup` to
the user ID designator framework. See #434.
- This changes the user ID parameter from a positional parameter
to a named parameter, and drops the `--email` flag. See #318.
- Port `sq pki authenticate` and `sq pki identify` to the cert
designator framework. See #207.
- This changes the certificate parameter from a positional parameter
to a named parameter. See #318.
- Port `sq key userid revoke` to the user ID designator framework.
See #434.
- This replaces the `--add-userid` flag with the `--add-userid`,
`--add-email` and `--add-name` arguments. See #318.
- This change also makes a user ID mandatory, which fixes#428.
- Commands like `sq pki vouch certify` allow designating a user ID
by email address. Currently, if multiple self-signed user IDs
include the specified email address, all are used. Change the
semantics of `--email` and --add-email` to only match
unambiguously.
- Fixes#309.
- `sq pki link add`, `sq pki link authorize`, `sq pki vouch
certify`, and `sq pki vouch authorize` have a `--add-userid` flag.
- Replace the `--add-userid` flag with an `--add-userid` argument,
and an `--add-email` argument.
- This change means that a flag does not change how an argument is
interpreted. It also makes it more explicit whether a user ID
should be added, because `--userid` and `--email` could be given
multiple times.
- See #309 and #318.
- When `sq pki authenticate` fails, it is helpful to see as much
details as possible. As such, include `--show-paths` when calling
`sq pki authenticate`. `--show-paths` shows more information, but
doesn't change the command's behavior.
- The flag `sq sign --detached` is now called `sq sign
--signature-file`.
- The flag `sq sign --clearsign` is now called `sq sign
--cleartext`.
- Both `sq sign` and `sq verify` now require an explicit mode,
one of `--signature-file`, `--message`, or `--cleartext`.
- Fixes#430.
- Previously, the signers cert designators added to the set of certs
in the store, and marked them as trusted.
- Change this so that only the designated certs are used to verify
the signatures, and they are marked as trusted. This allows
useful semantics like requiring a signature from a set of
explicitly provided signers.
- If no signers are designated, the cert store is consulted.
- Fixes#248.
- Add a new argument, `--cli-version`, which the user can use to
request a particular semver-compatible version of the CLI.
- This enables breaking changes to the CLI, and enables `sq` to
support multiple CLI versions.
- Fixes#75.
- `sq key subkey export` currently takes a list of keys to export.
This is ambiguous if a key is associated with multiple certificates.
- Add a new required parameter, `--cert`, which specifies what
certificate to export. The specified keys must be attached to that
certificate under the NULL policy.
- This change means that `sq key subkey export` can only export a
single certificate at a time.
- As the implementations of `sq key export` and `sq key subkey
export` have diverged, don't try to consolidate them any more.
- Fixes#386.
- If a component is not valid according to the policy, don't extend
the expiration time. Suggest using `sq cert lint`, and then error
out.
- Fixes#363.
- Move the duration parsing code from `Expiration` to `Time`, which
`Expiration` already uses for absolute timestamps.
- Support negative durations, and to be more precise rename the
`Duration` variant to `Offset`.
- Fixes#268.
- When working with older messages, it may be necessary to use a
different cryptographic policy. Add an option, `--policy-as-of`, to
select the cryptographic policy that was in effect at the specified
time.
- Fixes#123.
Co-authored-by: Neal H. Walfield <neal@sequoia-pgp.org>
- `Sq::encrypt` and `Sq::decrypt` only work with in-memory buffers.
- Introduce `FileOrBytes`, which represents a path or bytes. Change
`Sq::encrypt` and `Sq::decrypt` to use them, and thus support
messages stored in files in addition to inline messages.
- Signature verification output is confusing. The main problem is
the terminology. It talks about "good signatures", "good
checksums", and "bad checksums," but it is unclear what good or
bad means, and what a checksum is. Instead, talk about
"authenticated signatures," "unauthenticated signatures," and
completely drop the term "checksum" and just say that the
certificate for the alleged signer is missing.
- Fixes#4.
- Currently, when the user requests gossip, we show all the found
paths as being untrusted, even though some can be authenticated.
This is confusing.
- When getting gossip paths, specify the trust roots. As of
`sequoia-wot` 0.13.0, this will also authenticate any returned
paths.
- Fixes#338.
- Displaying them on one line is infeasible: first, v6 fingerprints
will be 64 hex digits long, filling a typical line almost by
itself. Second, many of the composite user IDs in use today are
quite long by itself, and wrapping user IDs is not nice.
- Instead, display them in two lines, with line art emphasizing the
fact that they are a tuple.
- Merge `sq autocrypt import` has been merged into `sq cert import`.
- Remove `sq autocrypt decode` and `sq autocrypt encode-sender`
without substitute.
- Fixes#187.
- When exporting certificates selected by user IDs (i.e. --email,
--userid, --domain, or --grep), authenticate the bindings and
export only those certificates that can be authenticated.
- Fixes#182.
- `sq pki link authorize` certifies all self-signed user IDs when
no user IDs are provided. Add a test that checks that it silently
ignores invalid self-signed user IDs (e.g., revoked user IDs) in
this case.
- `sq pki vouch authorize` certifies all self-signed user IDs when
no user IDs are provided. Change it to silently ignore invalid
self-signed user IDs (e.g., revoked user IDs) in this case.
- Split authorization functionality out of `sq pki link add` into a
new command, `sq pki link authorize`.
- Align `sq pki link authorize`'s arguments with `sq pki authorize`
arguments.
- `sq pki link retract` has a positional argument for specifying a user
ID directly or by email address. Remove it in favor of the named
arguments, `--userid` and `--email`.
- See #318.
- `sq pki link add` has a positional argument for specifying a user
ID directly or by email address. Remove it in favor of the named
arguments, `--userid` and `--email`.
- See #318.
- `sq pki certify` and `sq pki authorize` are for creating
third-party certifications.
- Error out if the certifier is the same as the certificate being
certified.
- Previously `sq pki certify` could create certifications, and mark
a certificate as a trusted introducer (when the user set `--depth`
to be greater than zero). Anecdotal evidence indicates that
combining these two actions in a single command is confusing.
- Split the latter functionality off, and put it in a new subcommand,
`sq pki authorize`.
- See https://gitlab.com/sequoia-pgp/sequoia-sq/-/issues/249#note_1865470753
- `sq pki certify` uses a positional argument to specify the
certificate to certify. Change it to be a named argument, either
`--cert`, or `--cert-file`.
- See #318.
- `sq pki certify` uses a positional argument to specify the user
ID to certify. Change it to be a named argument, either
`--userid`, or `--email`.
- This changes the meaning of `--email` from a flag that changes how
`--userid` interprets its argument, to an argument.
- This also allows multiple user IDs to be specified at once.
- See #318.
- Pull similar functionality out of the implementation of `sq pki
certify`, `sq pki link add`, and `sq pki link retract`, and put it
in a new module, `common::pki::certify`.
- This slightly changes the human readable output.
- By splitting `--handle` into `--cert` and `--key`, where the
former only matches on primary keys, and the latter matches on
both primary keys and subkeys.
- Fixes#287.
- It was possible to use `--allow-not-alive-certifier` and
`--allow-revoked-certifier` to force `sq pki certify` to use
expired and revoked certificates.
- Consistent with the principle that `sq` should support a lot, but
not everything, remove them.
- Fixes#365.
- When setting a certificate's expiration time, we update each user
ID's self signature. If a user ID is revoked, creating a new self
signature will "unrevoke it."
- Skip user IDs that are revoked.
- When setting a certificate's expiration time, we update the
direct key signature, and each user ID's self signature. This
fails if a user ID doesn't have a valid self signature.
- User IDs, however, don't need to be self signed! For instance, a
user ID may only have a third-party certification.
- Relax `sq key expire` to only add a self signature for a user ID,
if the user ID already has a self signature.
- Never call `exit`. If there is an error, propagate the error to
the caller. This ensures that any clean up handlers (like
flushing state to disk) are run.
- When adopting a bare key, the creation time is the Unix epoch.
If the user doesn't manually override this using
`--creation-time`, use the current time (while respecting
`--time`).
